In one of the largest international cyber law enforcement actions seen to date, the Hive ransomware cartel’s infrastructure was hacked, its decryption key “stolen” and distributed to victims, and its servers seized, bringing an end to an 18-month crime spree that had stolen over $100m from around 1,500 victims including hospitals, schools, financial services organisations and critical infrastructure.
The extent of the operation, revealed for the first time yesterday (26 January) by the US Department of Justice (DoJ), was such that it pulled in law enforcement agencies from Canada, France, Germany, Ireland, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the UK and the US, with the European agencies coordinated through Europol.
With the FBI leading the way, Hive’s infrastructure was first penetrated in July 2022 and its decryption keys exfiltrated. The keys have since been handed out to 300 Hive victims under active attack, and over 1,000 previously attacked victims, saving an estimated $130m (£105.1m) in potential ransom payments. An independent researcher made a Hive decryption tool available at approximately the same time – it is not known if there is a link to the operation.
Then, earlier this week and working with the Dutch national cyber crime unit, German federal police and local authorities in the state of Baden-Württemberg, the FBI was able to seize control of the servers and websites that Hive used, disrupting the gang’s ability to attack and extort any more victims.
“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cyber crime as it does to perpetrators,” said deputy US attorney general Lisa Monaco.
“In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130m in ransomware payments. We will continue to strike back against cyber crime using any means possible and place victims at the centre of our efforts to mitigate the cyber threat.”
Paul Foster, deputy director of the UK National Crime Agency’s (NCA’s) National Cyber Crime Unit, added: “Hive was a service which enabled cyber criminals to steal millions from businesses across the globe, with several UK organisations suffering significant disruption and financial losses.
“The combined might of international law enforcement, which includes NCA officers, is a tremendous example of action to take down illegal IT infrastructure. We continue to work closely with partners to bolster our capability to tackle this national security threat and strengthen the UK’s response to cyber crime.
“I would urge any businesses that may have been a victim of cyber crime to come forward and report such incidents to law enforcement.”
Hospital hit by Hive was forced to turn away patients
Despite its relative youth, the Hive ransomware cartel was firmly established as one of the more prolific and dangerous ransomware-as-a-service (RaaS) operations, operating a subscription-based model whereby it recruited affiliates to do its dirty work while taking a 20% cut of ransom payments for itself.
At one time the most prolific ransomware family observed by incident responders at Google Cloud’s Mandiant, accounting for 15% of intrusions to which it responded last year.
The ransomware locker itself was under active development and was notably entirely rewritten in the Rust programming language in mid-2022, likely in an attempt to hinder analysis and throw researchers and investigators off its trail. Rust is one of a number of multiplatform languages valued by RaaS operators for their flexibility and ability to quickly and easily target both Windows and Linux environments.
Hive was used by multiple actors, according to Mandiant, but one of the most enthusiastic Hive operators was UNC2727, also tracked as Gold Ulrick or Wizard Spider, which was previously known as the Conti ransomware operation that targeted the Irish Health Service Executive in May 2021.
The affiliates accessed their target networks using a number of tried-and-tested methods, often through single factor logins via the remote desktop protocol (RDP) tool, but also using virtual private networks (VPNs) and other remote network connection protocols, exploiting FortiToken vulnerabilities, and phishing emails containing malicious attachments. Hive affiliates are also known to have exploited the ProxyShell vulnerability chain in Microsoft Exchange Server.
The malware used the well-established double extortion technique which not only encrypted victims’ data and rendered it inaccessible, but also stole and published the data on a dark web leak site, causing further distress and embarrassment, and acting as an additional “incentive” for its victims to pay up. It caused major disruption to victims’ operations, in one case attacking a hospital that had to resort to analogue methods to treat existing patients, and was unable to accept new patients in the wake of its attack.
In the UK, the NCA said that Hive affiliates had hit approximately 50 victims, including in the housing, haulage, commercial and education sectors.
Cyber crime market will prove resilient
However, despite the success of the joint operation, experts tend to assess that the ransomware underground will take the disruption of Hive very much in its stride. Indeed, it is possible, even likely, that individuals associated with Hive are already firming up links with other operations – similarities have already been noted between Hive and an emerging ransomware, Play, thought to be behind the December 2022 attack on UK car dealer Arnold Clark.
John Hultquist, head of Mandiant Threat Intelligence, said: “The disruption of the Hive service won’t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system.
“Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals.”
He continued: “Actions like this add friction to ransomware operations. Hive may have to regroup, retool, and even rebrand. When arrests aren’t possible, we’ll have to focus on tactical solutions and better defence. Until we can address the Russian safe haven and the resilient cyber crime marketplace, this will have to be our focus.”